Thanks Piotr! Tried on *nix machine - same! Can't get /24.
One other thing I can think of is that if I remove the split tunneling then it might show up subnet mask + gw.
Will post here the results tomorrow.

Bruno - if you're awake - can you test without split-tunneling?

On Mon, Jun 27, 2011 at 11:35 PM, Piotr Matusiak <[email protected]> wrote:

> hmmm, I see /24 mask under 77.77.77.1 IP address.
> there is no default gateway as you can't have two interfaces with default
> gateway configured on windows machine.
> instead, cisco client installs something called Deterministic Network
> Enhancer which basically intercepts user traffic destined to the VPN tunnel.
>
> Regards,
> Piotr
>
> 2011/6/27 Serious CCIE <[email protected]>
>
>> Hi Piotr,
>> Labbed it up again..... same issue.
>> subnet mask 255.255.255.0 never gets pushed to the client.
>>
>> Has anyone managed to get this before? does it work at all, I really never
>> tried to pinpoint this one!
>>
>> Windows 2000 IP Configuration
>>
>> Ethernet adapter Local Area Connection 5:
>>
>>    Connection-specific DNS Suffix . :
>>    IP Address. . . . . . . . . . . . : 77.77.77.1   <-- address from EasyVPN server pool
>>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>    Default Gateway . . . . . . . . . :              <---------BLANK , never get anything here but everything works
>>
>> Ethernet adapter eth0:
>>
>>    Connection-specific DNS Suffix . :
>>    IP Address. . . . . . . . . . . . : 55.55.4.111  <--- local address
>>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>    Default Gateway . . . . . . . . . : 55.55.4.1
>>
>> ===========================================================================
>> Interface List
>> 0x1 ........................... MS TCP Loopback interface
>> 0x1000003 ...00 0c 29 a5 aa 2c ...... VMware Accelerated AMD PCNet Adapter
>> 0x1000004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter
>> ===========================================================================
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0        55.55.4.1     55.55.4.111       1
>>         55.55.4.0    255.255.255.0      55.55.4.111     55.55.4.111      10
>>       55.55.4.111  255.255.255.255        127.0.0.1       127.0.0.1      10
>>         55.55.6.2  255.255.255.255        55.55.4.1     55.55.4.111       1
>>        55.55.18.0    255.255.255.0       77.77.77.2      77.77.77.1       1
>>        55.55.19.0    255.255.255.0       77.77.77.2      77.77.77.1       1
>>    49.255.255.255  255.255.255.255      55.55.4.111     55.55.4.111      10
>>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>>        77.77.77.0    255.255.255.0       77.77.77.1      77.77.77.1       1
>>        77.77.77.1  255.255.255.255        127.0.0.1       127.0.0.1       1
>>      77.77.77.255  255.255.255.255       77.77.77.1      77.77.77.1       1
>>         224.0.0.0        224.0.0.0      55.55.4.111     55.55.4.111      10
>>         224.0.0.0        224.0.0.0       77.77.77.1      77.77.77.1       1
>>   255.255.255.255  255.255.255.255      55.55.4.111     55.55.4.111       1
>> Default Gateway:         55.55.4.1
>> ===========================================================================
>> Persistent Routes:
>>   None
>>
>> On Sun, Jun 26, 2011 at 9:57 PM, Serious CCIE <[email protected]> wrote:
>>
>>> don't have handy yet but it looks normal. as you've noticed in the
>>> configuration example, there is also a split tunneling so in route print I
>>> see split-tunnel too.
>>>
>>> On Sun, Jun 26, 2011 at 9:49 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> can you paste "route print" command output on windows host after vpn
>>>> client connection?
>>>>
>>>> 2011/6/26 Serious CCIE <[email protected]>
>>>>
>>>>> Hi Piotr, thanks.
>>>>>
>>>>> The configuration is the same as COPY & paste of below link:
>>>>>
>>>>> http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/ezvpn_ps5855_TSD_Products_Configuration_Guide_Chapter.html#wp1050158
>>>>>
>>>>> the only changes that I made to this - added subnet mask command to
>>>>> below config
>>>>>
>>>>> crypto isakmp client configuration group VPN1
>>>>> acl SPLIT_T
>>>>> ip access-list extended SPLIT_T
>>>>> permit ip 192.168.0.0 0.0.255.255 any
>>>>> key cisco123
>>>>> dns 192.168.168.183 192.168.226.120
>>>>> wins 192.168.179.89 192.168.2.87
>>>>> domain cisco.com
>>>>> pool VPN-POOL
>>>>> save-password
>>>>>
>>>>> On Sun, Jun 26, 2011 at 1:26 AM, Piotr Matusiak <[email protected]> wrote:
>>>>>
>>>>>> can you paste your config and related commands output?
>>>>>>
>>>>>> in general to make it work on IOS you must use "netmask" command and
>>>>>> to make it work on ASA you must add netmask to "ip local pool" command.
>>>>>>
>>>>>> Regards,
>>>>>> Piotr
>>>>>>
>>>>>> 2011/6/25 Serious CCIE <[email protected]>
>>>>>>
>>>>>>> Hi Everyone - thanks for the replies...
>>>>>>> I was trying to do it on ASA.
>>>>>>>
>>>>>>> @ Piotr - I've tried that but I was still getting /32 - any idea?
>>>>>>>
>>>>>>> "I have tried putting subnet mask in client config on Server but
>>>>>>> still I get /32 bit subnet mask."
>>>>>>>
>>>>>>> On Fri, Jun 24, 2011 at 2:35 AM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>
>>>>>>>> if this is IOS then under group configuration there is "netmask"
>>>>>>>> command.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Piotr
>>>>>>>>
>>>>>>>> 2011/6/23 Serious CCIE <[email protected]>
>>>>>>>>
>>>>>>>>> VPN-SERVER-------------Internet---------VPN-CLIENT
>>>>>>>>>
>>>>>>>>> Is it possible when client gets an IP address from the POOL1 have
>>>>>>>>> a subnet mask of 255.255.255.0 for example?
>>>>>>>>>
>>>>>>>>> In most cases when client dials into the server it gets an IP
>>>>>>>>> address and the default subnet mask of /32 (192.159.1.39/255.255.255.255)
>>>>>>>>>
>>>>>>>>> I have tried putting subnet mask in client config on Server but
>>>>>>>>> still I get /32 bit subnet mask.
>>>>>>>>>
>>>>>>>>> thanks
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>> please visit www.ipexpert.com
>>>>>>>>>
>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>> www.PlatinumPlacement.com
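
Added example, not part of the original thread: a Python sketch that reads the unicast rows of the "route print" output quoted above and reports the mask the VPN adapter actually received, which prefixes are sent into the tunnel, and whether the default route stayed on the physical interface (split tunneling). The function names and the dictionary keys are assumptions made for this illustration.

```python
import ipaddress

# Unicast rows from the "route print" output quoted in the thread:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 55.55.4.1 55.55.4.111 1
55.55.4.0 255.255.255.0 55.55.4.111 55.55.4.111 10
55.55.4.111 255.255.255.255 127.0.0.1 127.0.0.1 10
55.55.6.2 255.255.255.255 55.55.4.1 55.55.4.111 1
55.55.18.0 255.255.255.0 77.77.77.2 77.77.77.1 1
55.55.19.0 255.255.255.0 77.77.77.2 77.77.77.1 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
77.77.77.0 255.255.255.0 77.77.77.1 77.77.77.1 1
77.77.77.1 255.255.255.255 127.0.0.1 127.0.0.1 1
"""

def parse_routes(text):
    """Return (network, gateway, interface) tuples; skip non-route lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
        except ValueError:
            continue  # header or damaged row
        routes.append((net, fields[2], fields[3]))
    return routes

def vpn_summary(routes, vpn_ip):
    """Summarise what the VPN adapter with address vpn_ip received."""
    addr = ipaddress.ip_address(vpn_ip)
    via_vpn = [(net, gw) for net, gw, iface in routes if iface == vpn_ip]
    # The on-link route (gateway == adapter address) shows the applied mask.
    onlink = [net for net, gw in via_vpn if gw == vpn_ip and addr in net]
    # Routes through the adapter with another next hop are tunnelled prefixes.
    tunneled = [net for net, gw in via_vpn if gw != vpn_ip]
    default_if = [iface for net, _, iface in routes if net.prefixlen == 0]
    return {
        "adapter_prefix": onlink[0].prefixlen if onlink else None,
        "tunneled": tunneled,
        "default_via_vpn": vpn_ip in default_if,
    }

if __name__ == "__main__":
    print(vpn_summary(parse_routes(ROUTE_PRINT), "77.77.77.1"))
```

With split tunneling enabled the default route stays on the local adapter, so only the listed prefixes are protected by the tunnel.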
